Eschelbeck's New "Laws of Vulnerabilities" Research Demonstrates Growing Threat to Internal Networks

Black Hat Briefings, Las Vegas, NV — July 28, 2004 — Gerhard Eschelbeck, CTO of Qualys™, Inc., the leading provider of on demand vulnerability management solutions, today unveiled new research as part of his well-known “Laws of Vulnerabilities,” analysis derived from the industry’s largest database of security vulnerability information. The research shows that significant improvement has been made during the last year in protecting networks at the perimeter but that systems within a corporate network are in greater jeopardy of being attacked.

Specifically, the data outlines that companies currently take 62 days to patch their internal systems, as opposed to 21 days for systems connected directly to the Internet. This window leaves internal systems and applications, such as Internet browsers and mail servers, vulnerable to attack. These and other trends were drawn from a statistical analysis of nearly 4 million critical vulnerabilities collected by 6.5 million scans during a two and a half-year period. Last year, the research was derived from 1.5 million scans during a one and a half-year period.

“Clearly, the research shows that there continues to be significant security concerns regarding internal networks. This is the first time we’ve had real data to show exactly how vulnerable these systems are. As an industry, we cannot focus only on the perimeter as this leaves our internal systems vulnerable to attack,” said Howard A. Schmidt, former cyber security advisor to the President. “Gerhard’s research provides a unique analysis of global vulnerability data that helps predict trends, identify threats and effectively protect networks.”

The full findings from the research can be found at www.qualys.com/laws and are summarized as follows:

1. Half-Life: The half-life identifies the length of time it takes users to patch half of their systems, reducing their window of exposure. The half-life of critical vulnerabilities for external systems is 21 days and for internal systems is 62 days. This number doubles with lowering degrees of severity.
2. Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis. In other words, there is a constant flow of new critical vulnerabilities to manage.
3. Persistence: The lifespan of some vulnerabilities and worms is unlimited. In fact, the research shows significant spikes in the occurrence of Blaster and Nachi worm infections in 2004, months after they originally appeared.
4. Exploitation: The vulnerability-to-exploit cycle is shrinking faster than the remediation cycle. 80 percent of worms and automated exploits are targeting the first two half-life periods of critical vulnerabilities.

“We have made significant progress in shortening the window of exposure for external systems; however, the focus on internal systems must be addressed,” says Gerhard Eschelbeck, CTO and VP of Engineering for Qualys. “Vulnerabilities to Web browsers, data centers, mail servers and other internal systems show up consistently in our top list of the most critical vulnerabilities. In most cases, worms are circulating faster than systems being patched inside the network, and organizations have to be more aggressive about protecting their internal systems.“

In addition to providing trend data on vulnerabilities, Qualys is also publishing a real-time list of the top 10 most critical and prevalent vulnerabilities on both internal and external systems. As described above, the Law of Prevalence shows there is a constant flow of new critical vulnerabilities, requiring companies to stay ahead of changing threats. As a result, the “Top 10 Internal” and “Top 10 External” lists will be updated automatically and continuously. The Top 10 lists can be found online at www.qualys.com/top10.

About Qualys

With more than 2,000 subscribers ranging from small businesses to multinational corporations, Qualys has become the leader in on demand vulnerability management and policy compliance. The company allows security managers to strengthen the security of their networks effectively, conduct automated security audits and ensure compliance with internal policies and external regulations. Qualys’ on demand technology offers customers significant economic advantages, requiring no capital outlay or infrastructure to deploy and manage. Its distributed scanning capabilities and unprecedented scalability make it ideal for large, distributed organisations. Hundreds of large companies have deployed Qualys on a global scale, including AXA, DuPont, Hershey Foods, ICI Ltd, Novartis, Sodexho, Standard Chartered Bank and many others. Qualys is headquartered in Redwood City, California, with European offices in France, Germany and the U.K., and Asian representatives in Japan, Singapore, Australia, Korea and the Republic of China. For more information, please visit www.qualys.com.

Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.

Media Contact:
Tami Casey
Qualys
media@qualys.com